NSA Codebreaker Challenge 2024
nsa-codebreaker.org
This has historically been a pretty fun challenge to do. Earlier levels are quite easy, but later levels can be quite challenging and require specialized skills (e.g. reverse engineering, binary exploitation, cryptography). There’s a decent focus on “realism” which makes the challenge series more interesting than a typical CTF. If you’re eligible to participate I’d highly recommend checking it out.
P.S. if you do well, the NSA sends you swag; I have a couple of very nice signed letters and NSA medals that look great in my office :)
After reading "Permanent Record" by Edward Snowden and "Cult of the Dead Cow" by Joseph Menn, I can't help but feel like the NSA is basically "the bad guys", and I assumed most hackers would feel the same. Are people really excited to do challenges like these for them?
I don't mean that in an accusatory way, just genuinely curious as my perspectives (one from a whistleblower and one from 80s hacker culture) are obviously not the same as those of a modern day hacker.
I'd recommend reading James Bamford for a more positive look at NSA and their charter...which is essentially math, math, and more math, and unrelated to politics within NSA anyway.
The Snowden stuff is extraordinarily excerpted to that which a contractor (Snowden) was seeing in a post 9/11 strange fiasco which did bring politics into play. Bamford predates that mess.
Here's a link, for example.
NSA is an enormous organization with many chartered activities, some small amount of which involve math, some of which is defensive and benign, some of which is offensive but understandable in the same sense our maintenance of a fleet of nuclear-powered aircraft carriers, and some of which is probably hard for anybody to get comfortable with (much of which should be halted). A lot of what NSA does is ultra-boring, and some of that should be halted too. Like every major federal government bureaucracy, NSA's most important charter is to secure more budget for NSA (which I maintain is actually an important fact to keep in mind when designing technical security countermeasures).
My point being: be wary of any attempt to characterize NSA in just a sentence or two.
Some of this puts me in mind of people's mental model of NIST as a hive of USG cryptologic activity when it is in reality like 3 very overworked cryptographers and a bunch of project managers. (Someone correct me on this, and then reach out about being on the podcast).
Have you been in Fort Meade? The Bamford books are much longer than a sentence.
> The Snowden stuff is extraordinarily excerpted to that which a contractor (Snowden) was seeing
I highly recommend you read his autobiography. The typical Beltway career in IT is getting clearance and then coming in as a contractor, there is nothing out of the ordinary here.
Adding to that, he was directly employed by the CIA from 2006 to 2009. The "contractor" line is a really sad attempt to discredit him.
The point is not discrediting but scoping what he was involved in, which for example does not intersect a different area I know personally.
While I don't really like the NSA, I certainly respect their expertise.
And their expertise is exactly what makes a challenge like this difficult and fun.
I would love to hear more about how Menn's book about a clique of nerdy teenagers shaped your opinion of NSA. (Some of those nerdy teenagers are friends of mine; we were nerdy teenagers of the same vintage. I'm not dunking on them.)
You’re right. The US IC has shown time and time again that they have no moral compass, no regard for the US Constitution, and no regard for human rights or the rule of law.
That said, neither do a lot of hackers. There is a long history of collaboration between hackers and the military-industrial complex. Silicon Valley is Silicon Valley because of the DoD. And the director of the NSA once gave the keynote at DEF-CON.
Even the best hacker movie, from which I take my nick, ends with the hackers assisting the NSA as if they are the good guys. :(
Intelligent people like Snowden don’t become as deep into the NSA as they are without a whole lot of “good guys” propaganda for many years first.
I’m sure you’re aware of this but Snowden wasn’t in the NSA. He worked for a contractor to manage their IT.
He was both! Initially working for a contractor, then for them directly. He may have again gone back to a contractor afterwards.
My understanding is that he worked for some time at CIA, but never directly for NSA.
It doesn't matter which 3 letter agency is violating the constitution. They all need to stop.
Yes. Only the 4 letter agencies are allowed to do that.
We need to rein in the USGS
God damn NASA.
That’s a distinction without a difference. He was directly CIA for a bit, and went through the revolving door to a contractor who was placed at the NSA. It really doesn’t matter which corporate entity’s name is on the pay stub; it’s all the same public-private scam. Whether or not Booz gets a percentage of the tax money firehose for running the payroll or not is of no import.
All of this is covered in his book, which is a decent read. I recommend it because it’s information dense and quick.
Furthermore, I said he was deep into the NSA (which he was), not that he was employed by them.
Someone isn't Comms Aware.
Biggest event of 2013: Snowden.
Biggest film of 2013: Frozen (Let I.T. Go)
Biggest game of 2013: Last of U.S.
The NSA was effectively blinded for a period of time. Do you think bad actors didn't take full advantage of this? Where did Snowden work prior to NSA? Why doesn't Julian Assange have a Hollywood film?
> Assange film
The Fifth Estate.
> Anyone with an email address from a recognized U.S. school or university may participate in the challenge.
Aww, that's not so fun :( Was kind of curious to participate, but seems it's US + students only. Kind of makes sense that it's US only I guess, but why only students?
It's a recruiting event.
Aha, that'd explain it. NSA only hire people fresh out of school?
They primarily do. Someone else on the thread says they do some industry hires, but everyone I know who worked there was recruited from engineering school.
I know a few people who went in as experienced hires, but the NSA in particular is happy to do high-paid contracts if you have the appropriate skills, so most of their actual employees seem to be straight out of school.
I remember a bunch of TLAs approached most of my friends in college, but never took an interest in me.
At the time I thought, "That's stupid. I'm the best phreaker in this NPA!" Later I realized this might be a liability, not an asset.
They have an internal school that's a few years long (?!) that teaches you a bunch of stuff. Or so I heard...
There are many pathways and schools internally for the different directorates. Most programs are partnered with outside schools, with some giving you course credits for internal classified work and only requiring a few outside unclassified courses to fulfill needs. Many of these are MS degrees. I got one through one of these programs. Which come in handy with restrictions on promotions / positions based on ed reqs.
Anyone in industry is already making more than the NSA can afford to pay.
No. They hire plenty out of school, but they generally are not the type to be filtered by an email domain requirement.
They are exactly the type to filter by something as "trivial" - 99% of their target audience is Math nerds with .edu emails.
> but they generally are not the type to be filtered by an email domain requirement.
The other 1% will go the other 99% of the way to acquire the needed materials to satisfy the target condition. Which in this case, is a room-temperature check compared to the challenges.
I do not think their audience is in fact mostly math nerds.
They hire more Math PhD's than the entire economy combined.
If comparable had happened in any other field, to any other adversary, that very fact would not be as advertised.
> They hire more Math PhD's than the entire economy combined.
Does "the entire economy" include quantitative trading firms/hedge funds and alike? Feel like they'd probably be able to snap up quite a few.
They do, as do machine learning/AI firms, insurers and other actuarial firms, and, of course, academia. Like every other postgraduate specialization there are subreddits full of threads of people discussing "what am I going to do with this doctorate I'm getting if I don't end up becoming a tenure-track professor?".
“They hire more math people than anyone” and “they mostly don’t hire math people” aren’t logically inconsistent.
And the former is similarly not evidence that they mostly hire people with edu emails.
It is.
PhD's in Math are very rare, and uneconomic. Aside from Wall Street and Langley, no one outside of SV Talent recruits are paying for someone who has spent their prime thinking years considering the viability of certain types of "up-my-sleeve" numbers - no one else has that capital for specialty, almost certainly fruitlessly, since infosec advantage isn't sum-net-zero. Any APT that will pay will have a slight advantage; that opportunity cannot be simply absconded.
That is why NSA skews the average with their hiring practice, let alone indirect contractor influences - although the pure math SME's are held tighter to the chest than even private contractors can boise.
> aren’t logically inconsistent.
Sure, if you remember PhD's in Ecliptic Curve Cryptography or Number Theory or applied but pure 'XYZ' field of promising arcane mathematics are extraordinarily rare, and skew towards a certain demographic as well. The motivated, undeterred, socially-inept few.
I can tell you, objectively, statically, that those who have Math degrees have a lower chance at needing help resetting their password to their .edu email. And a much, much higher chance at actually graduating with a grace period and mental clarity to leverage it for a brief window during their opportunity. You can (kinda) check yourself at https://nces.ed.gov/ and https://analytics.usa.gov/,
> And the former is similarly not evidence that they mostly hire people with edu emails.
As the excellence required increases, the numbers get low enough, you can hire ALL the talent. And have enough 'explanatory' budget left over for institutional-preserving things and normal bureaucratic neo-con noise.
You can hire more Math PhD's than anyone, and still mostly not hire math people.
There are very, very few Math PhD's that can, even theoretically, threaten the current risk portfolio of our nation. But if they even did exist, you would not want to signal them out by being the only one they hired.
All signals require noise. Work cannot be performed absent a temperature gradient.
PhDs in math are not in fact rare, and having attended numerous cryptography conferences I can assure you they're a lot more socially normal than computer nerds in general are.
The irony being that your mathy conferences didn't mention the observational bias of conferences themselves filtering towards "socially normal people" than "computer nerds in general"
You are comparing those who speak a language very few can fathom to a magnitude more, less specialized, more general base, which in itself, is a superset of math nerds.
Almost all math nerds are "computer nerds" to the non-STEM type.
Control for proper prevalence and you'll find your circle is much smaller than you wish you would believe.
I have no idea what you are trying to say here.
You are missing the entire point.
Even if they hired the sum graduating phd class of every math program in the country it wouldn’t change the fact that math phds are not their hiring target.
They have to hire N non-math phds for every M math phd they hire to support their hiring metrics. Like every other large technical bureaucracy in the world.
None of that has anything to do with advanced capabilities and, again like every other technocracy, has to do with management and ops.
I got the point. I can be wrong then, for the collective interest.
If all the elite Ivy League math outlets followed a similar excellency distribution that would be a waste of budget. But the top 5 PhD's at the top 3 institutions are far more capable than the sum of the remaining, especially to the incredibly niche, relatively uninteresting, math domains that actually impact national security.
> Even if they hired the sum graduating phd class of every math program in the country
here? of course not. Math PhD's in general? not even.
> country it wouldn’t change the fact that math phds are not their hiring target.
but the absolute best of those math PhD's already got poached; the challenge like above is dredging for raw infosec talent
they have to attract and retain the most misunderstood talent in the world in the most specific field with the smallest initial return on investment per head.
not doing so hands the lead over to adversaries, that maintain a near-constant academic/competitive edge due to domestic ...infil.
What a coincidence then, they average quite a lot more crypto-maniacs per capita than public sentiment would care to ever be let suggested.
> None of that has anything to do with advanced capabilities and, again like every other technocracy, has to do with management and ops.
It is so bizarre that a very-well known factoid is so earnestly debated.
"Factoid" is the right word choice here.
I do not think this is even close to true.
I completed the 2022 version of this and received some nice NSA memorabilia. It is a fun challenge, but it is pretty difficult to complete it all. Looking back at 2022, it looks like maybe 100 people completed the entire challenge.
> it looks like maybe 100 people completed the entire challenge.
It looks like (https://nsa-codebreaker.org/leaderboard_2022) at least 350 schools have a "School Solve Times" that isn't null, so unless some students are enrolled in multiple schools, it seems like way more than 100 people managed to solve it.
Go to Task 9 at the bottom. 40-something schools had people score, about 102 people scored on that task (more completed it though, not sure what the difference is, hand counted so may have miscounted).
Correct, which is why I say 100-something. For some reason, they put all the schools in every table. Just a guess, but I assume "scorers" are only people who solved it in the limited time window.
I got this error while trying to register. Does anyone know a simple way to bypass this?
"Sorry, that email domain is not recognized. -- An email address from a recognized U.S. school or university is required. If your school's domain is not recognized, please request it to be allowed by clicking HERE"
It is kind of an issue because a lot of people lose their school email when they graduate.
Asking the same cause this is one I've never had time to do when I was in university and would like to do it now that I'm graduated.
It's for recruiting and they mainly want new grads. It's a filter not a bug.
It is a shame you can't get access as a non recruitment target though.
It's also a shame they only see recent grads as recruitment targets.
The people whom this is meant for are not the people who would complain about "needing" an EDU email and would just get one or figure out a bypass.
Options I can see:
1. You can get one from Hafis: https://hafis.net/product-category/edu-email/,
2. or host your own mail server after registering an .edu address,
3. or maybe you can find someone in your network who still has a valid .edu address and is willing to register for you.
Just looking at the site it seems they pull from an approved list of .edu domains so I think 2 probably wouldn't work unless you could social engineer your way onto the approved list. The ones sold by Hafis might not either, I didn't see a list of approved institutions readily available though.
It’s part of the test.
If you need HN commenters just to bypass the signup, you will not have a good time in the challenge :P
Just because it's a computer security challenge doesn't mean you should start breaking into the website before the challenge begins. That's akin to suggesting that boxers who were deemed not to qualify for a competition should punch the referee to prove otherwise; what's normal inside the sport can be entirely unacceptable outside it.
I agree, but it clearly says you need an edu email. Either you have an edu email, or by asking how to skip that check you're trying to circumvent the website limitations. So in spirit, you're already trying to break in, just through different means :)
If you don't have a family, the Air Force won't let you fly a plane.
You think being Omni-potent in a modern world wouldn't bring its own shade of problems?
It's more akin to the boxers who were deemed not to qualify cuz they're deemed arbitrarily too old remind the judges of their youth, all in good fun.
If you cannot get access to an @edu email for long enough to verify a 2FA between Facebook familiarity and now, you likely aren't of the caliber outside of the domain specialty that can be entrusted with that magnitude of information.
> If you don't have a family, the Air Force won't let you fly a plane.
Can you cite a source for this? I'm acquainted with some USAF people and have close friends with fighter pilot siblings (I know, family) and I have never heard this before. If by "family" you mean "a spouse", the people going up in trainers are too young to have built families, so that can't possibly be a DQ.
That was kinda an obvious analogous exaggeration.
Although, not too unbelievable for highly-sensitive contexts.
A pilot with less obvious motivation to go AWOL institutionally could only benefit the context.
Is that a rule, or just something you think should be a rule?
Once it's written down, it doesn't matter what it was, it's a rule
They can't because it's not true.
It sounded weird af to me.
In fairness: so too does the claim that this is a test of whether you can hack a .edu email address, like it's 1994 and the next test in their CTF is whether you can find an X.25 outdial. No, they're just recruiting from engineering schools, like everyone else!
Career tip: if hoping for a GG-whatever role at NSA, recommend not committing crimes in the process of trying to impress them. They are a lot more boring than you think they are.
well, it's not really a crime when you do it for the homeland. also not a crime if it's boring.
> Career tip: if hoping for a GG-whatever role at NSA, recommend not committing crimes in the process of trying to impress them. They are a lot more boring than you think they are.
there's a good list of resources and lectures if you're curious to learn more:
Anyone else getting a 403?
Is it cheating to use commonplace AI? NSA are a practical bunch, they probably don't much care how one solves the problems, but AI could change the nature of such tests. The rules say no getting help from persons, which leaves the AI door open imho.
(Fysa, there is a reasonable chance that someone involved in this competition is following this topic. HN is known in the more nerdy corners of the int/defense world.)
I think it would be unlikely to be much help beyond the easy problems they start with.
I would love to see you try to get Gemini to make corporate puns, 3-figures removed from practical phishing utility.
Might be more acceptable if you use a locally hosted version, instead of someone else's.
Is it possible to view tasks from the past challenges? Just curious how it looks like
I archived what I could from the years I participated: 2018-2021:
https://github.com/luker983/nsa-codebreaker-2018
https://github.com/luker983/nsa-codebreaker-2019
Hah some networks just get a 403 forbidden accessing this
VPNs seem blocked and return 403
Maybe that’s the challenge
First thing people do is feed it into LLM